Add a GitHub Action to automatically scan for vulnerable dependencies #209
Conversation
@GrapeBaBa I'm done with the GitHub Action, please check it out.
Many thanks for your contribution. My original idea is to use https://github.com/paradigmxyz/op-rs/blob/main/.github/dependabot.yml to automatically upgrade dependencies. Can you research this to see if it can be used for Java projects?
@GrapeBaBa I'm confused now, but the issue says to scan for vulnerable dependencies and output them. Why not merge this and create a new issue for upgrading the dependencies?
Ok, let me try it first to see how long it will run. It may need a long time to check, so we may consider not triggering it on every PR.
@GrapeBaBa the time can be reduced if you get an API key from here: https://nvd.nist.gov/developers/request-an-api-key
I think 27 mins is a reasonable wait time. Well, getting an API key can drastically reduce the time, but it will now introduce rate limits, which in my own opinion is not a good thing because that will throw a 403 error and cause the CI to fail. If this is cool with you, you can merge so I can start working on the Dependabot for upgrading dependencies.
Thank you very much.
@GrapeBaBa sorry I'm asking so much, can I start working on the upgrade?
Yes, feel free to create issues and PRs.
@GrapeBaBa please, my OnlyDust account is not updated with my contributions. Just to know if you are meant to report my contribution as done or if it would be done automatically.
Can you see it right now? I am not quite sure how to operate on OnlyDust.
@GrapeBaBa it's the application that was accepted and not marked done yet.
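The thread asks whether the linked dependabot.yml approach works for a Java project. As an added example (not part of this PR or the project's repository), the following `.github/dependabot.yml` answers that in config: Dependabot supports the `maven` ecosystem directly, and `gradle` is available the same way. The example assumes a Maven build with `pom.xml` at the repository root; the weekly schedule and PR limit are illustrative choices, not values taken from the page.

```yaml
# Added example, not the project's own file.
# Assumes a Maven build at the repository root (pom.xml).
# For a Gradle build, use package-ecosystem: "gradle" instead.
version: 2
updates:
  # Java dependencies declared in pom.xml
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap concurrent upgrade PRs so a large backlog does not flood CI
    open-pull-requests-limit: 10

  # Keep the actions referenced in .github/workflows pinned to current versions too
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot version updates are independent of the vulnerability scan added by this PR: the scan reports known-vulnerable dependencies in the current tree, while this config opens upgrade PRs on a schedule, so the two complement rather than replace each other.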
fixes #207